AiTechWorlds
Firewall, IDS & IPS: Security Guide
Firewall types, iptables/UFW rules, network zones, IDS vs IPS, Fail2Ban, ModSecurity WAF, and log analysis.

| Control | Role | Acts On |
|---|---|---|
| Firewall | Filter traffic by rules | Allow / Block |
| IDS (Intrusion Detection System) | Detect threats, generate alerts | Alert only |
| IPS (Intrusion Prevention System) | Detect and block threats | Block automatically |
| WAF (Web Application Firewall) | Filter HTTP/HTTPS traffic | Allow / Block at Layer 7 |
| SIEM | Correlate logs and alerts | Analyze and alert |

| Type | OSI Layer | Inspects | Strengths |
|---|---|---|---|
| Packet filter | Layer 3–4 | IP, port, protocol | Fast, simple |
| Stateful inspection | Layer 3–4 | Connection state | Tracks sessions |
| Application (proxy) | Layer 7 | Payload content | Deep inspection |
| NGFW (Next-Gen) | Layer 3–7 | App, user, threat intel | Unified policy |
| WAF | Layer 7 | HTTP headers, body, URL | Web app protection |
Basic iptables INPUT policy (rules are evaluated top to bottom; the first terminating match wins):

```bash
# List current rules
iptables -L -v -n
# Allow loopback traffic (local services break under default deny without this)
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (stateful)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH from specific subnet only
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow outbound (permissive for now)
iptables -A OUTPUT -j ACCEPT
# Log dropped packets before dropping: LOG is non-terminating, so it must sit
# immediately before the final DROP; appended after a catch-all DROP it is never reached
iptables -A INPUT -j LOG --log-prefix "DROP: " --log-level 4
# Drop all other inbound traffic (default deny)
iptables -A INPUT -j DROP
```

The same policy with UFW:

```bash
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp    # SSH
ufw allow 80/tcp    # HTTP
ufw allow 443/tcp   # HTTPS
ufw allow from 10.0.0.0/8 to any port 3306   # MySQL from internal only
ufw enable
ufw status verbose
```

Network zones (segmentation):

```
Internet
   │
   ▼
[Edge Firewall / NGFW]
   │
   ├── DMZ (Demilitarized Zone)
   │     ├── Web Server
   │     ├── Mail Server
   │     └── Load Balancer
   │
[Internal Firewall]
   │
   ├── Application Zone
   │     └── App Servers
   │
   ├── Database Zone
   │     └── DB Servers (no direct internet)
   │
   └── Management Zone
         └── Admin hosts, logging, monitoring
```

IDS vs IPS:

| Feature | IDS | IPS |
|---|---|---|
| Position | Out-of-band (network tap) | Inline (traffic must pass through) |
| Response | Alert / log only | Block + alert |
| False positive risk | Low impact (just an alert) | High impact (blocks legitimate traffic) |
| Performance impact | Minimal | Higher (latency) |
| Deployment difficulty | Easier | Requires careful tuning |
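As an added example (not part of the AiTechWorlds note), the following Python models the first-match walk of the iptables INPUT chain above: each rule's matchers, the non-terminating LOG target, the chain policy, and a flag standing in for conntrack's ESTABLISHED state. `Packet`, `Rule`, `walk_chain` and the two chain lists are constructed for this demo. Running it shows why a LOG rule appended after a catch-all DROP never fires.

```python
# Added example, not from the note: first-match evaluator for an INPUT chain.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                  # "tcp" or "udp"
    dport: int
    iface: str = "eth0"
    established: bool = False   # would be set by conntrack on a real host


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP or LOG
    proto: Optional[str] = None        # -p
    src: Optional[str] = None          # -s CIDR
    dport: Optional[int] = None        # --dport
    iface: Optional[str] = None        # -i
    state_established: bool = False    # -m state --state ESTABLISHED,RELATED
    log_prefix: str = ""               # --log-prefix

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface and p.iface != self.iface:
            return False
        if self.state_established and not p.established:
            return False
        return True


def walk_chain(chain, p: Packet, policy: str = "ACCEPT"):
    """Walk rules top to bottom. LOG is non-terminating: it records a line and
    evaluation continues; the first terminating target (ACCEPT/DROP) decides.
    Returns (verdict, log_lines); the chain policy applies if nothing matched."""
    logs = []
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logs.append(f"{rule.log_prefix}IN={p.iface} SRC={p.src} "
                        f"PROTO={p.proto.upper()} DPT={p.dport}")
            continue
        return rule.target, logs
    return policy, logs


# The note's rules in the corrected order: LOG immediately before the final DROP.
INPUT_CHAIN = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", state_established=True),
    Rule("ACCEPT", proto="tcp", src="192.168.1.0/24", dport=22),
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", proto="tcp", dport=443),
    Rule("LOG", log_prefix="DROP: "),
    Rule("DROP"),
]

# Same rules with DROP appended before LOG: the LOG rule is dead code.
MISORDERED_CHAIN = INPUT_CHAIN[:5] + [Rule("DROP"), Rule("LOG", log_prefix="DROP: ")]

if __name__ == "__main__":
    samples = [
        Packet("192.168.1.10", "tcp", 22),                     # SSH from allowed subnet
        Packet("203.0.113.5", "tcp", 22),                      # SSH from elsewhere
        Packet("203.0.113.5", "tcp", 443),                     # HTTPS from anywhere
        Packet("203.0.113.5", "tcp", 3306, established=True),  # reply to our own outbound
        Packet("127.0.0.1", "tcp", 3306, iface="lo"),          # local service
    ]
    for chain_name, chain in (("ordered", INPUT_CHAIN), ("misordered", MISORDERED_CHAIN)):
        for pkt in samples:
            verdict, lines = walk_chain(chain, pkt)
            print(f"{chain_name:10} {pkt.src:>14}:{pkt.dport:<5} -> {verdict:6} {lines}")
```

The misordered chain still drops the same packets, so the mistake is invisible in `ufw status` or `iptables -L`; it only shows up as an empty log when you go looking for blocked traffic.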

Detection methods:

| Method | How It Works | Strengths | Weaknesses |
|---|---|---|---|
| Signature-based | Match known attack patterns | High accuracy for known threats | Misses zero-days |
| Anomaly-based | Detect deviation from baseline | Catches novel attacks | High false positive rate |
| Policy-based | Flag traffic that violates a defined security policy | Customizable | Requires manual policy definition |
| Heuristic | ML/statistical analysis | Adaptive | Complex to tune |

Common tools:

| Tool | Type | Deployment | Open Source? |
|---|---|---|---|
| Snort | Network IDS/IPS | Inline or passive | Yes |
| Suricata | Network IDS/IPS | Inline or passive | Yes |
| Zeek (Bro) | Network traffic analyzer | Passive | Yes |
| OSSEC/Wazuh | Host-based IDS (HIDS) | Agent on hosts | Yes |
| Fail2Ban | Host-based (log analysis) | Agent on server | Yes |

Fail2Ban jail configuration:

```ini
# /etc/fail2ban/jail.local
[DEFAULT]
# ban for 1 hour
bantime = 3600
# count failures within a 10 minute window
findtime = 600
# ban after 5 failures
maxretry = 5

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 3
```

WAFs operate at Layer 7 and protect web applications specifically.

| WAF Type | Examples | Notes |
|---|---|---|
| Network WAF | F5 BIG-IP, Barracuda | Hardware/VM appliance |
| Host-based | ModSecurity (Apache/Nginx) | Open source, flexible |
| Cloud WAF | AWS WAF, Cloudflare WAF, Fastly | Easy deployment |
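As an added example (not the note's own code, and not ModSecurity's), the following Python contrasts the two policy models a WAF can apply, allowlisting and blocklisting, which the note summarises after the ModSecurity snippet. The route allowlist, the two signature patterns and the five sample requests are all constructed for the demo; a real WAF such as ModSecurity with the OWASP CRS uses far richer rules, input normalisation and anomaly scoring.

```python
# Added example, not from the note: toy allowlist vs blocklist request filter.
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Known-good routes and per-route parameter shapes (constructed for the demo).
ALLOWED_ROUTES = [re.compile(r"^/$"), re.compile(r"^/products$")]
ALLOWED_PARAMS = {"/products": {"id": re.compile(r"^\d{1,8}$")}}

# Known-bad fragments a signature blocklist might carry (toy patterns, constructed).
BLOCK_SIGNATURES = [re.compile(r"(?i)union\s+select"), re.compile(r"(?i)<script")]


def allowlist_decision(url: str) -> str:
    """Permit only requests whose path and every parameter match a known-good shape."""
    parts = urlsplit(url)
    if not any(r.match(parts.path) for r in ALLOWED_ROUTES):
        return "BLOCK"
    shapes = ALLOWED_PARAMS.get(parts.path, {})
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        shape = shapes.get(name)
        if shape is None or not all(shape.match(v) for v in values):
            return "BLOCK"
    return "ALLOW"


def blocklist_decision(url: str) -> str:
    """Block only requests that contain a known-bad signature (after one decode pass)."""
    decoded = unquote_plus(url)
    return "BLOCK" if any(s.search(decoded) for s in BLOCK_SIGNATURES) else "ALLOW"


# Constructed requests: two legitimate, one known attack pattern, one pattern the
# blocklist does not know, and one legitimate route nobody added to the allowlist yet.
REQUESTS = [
    "/",
    "/products?id=42",
    "/products?id=42+UNION+SELECT+password",
    "/products?id=42'+OR+'1'='1",
    "/reports/2024",
]


def compare(urls=REQUESTS) -> dict:
    """Map each URL to (allowlist verdict, blocklist verdict)."""
    return {u: (allowlist_decision(u), blocklist_decision(u)) for u in urls}


if __name__ == "__main__":
    for url, (allow_v, block_v) in compare().items():
        print(f"{url:45} allowlist={allow_v:5} blocklist={block_v}")
```

The output matrix is the note's trade-off in miniature: the blocklist passes the pattern it has no signature for (a false negative), while the allowlist rejects the brand-new `/reports/2024` route until someone updates the policy (the maintenance cost).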
```nginx
# nginx with ModSecurity
# load_module belongs at the top level of nginx.conf, outside the http {} block
load_module modules/ngx_http_modsecurity_module.so;
server {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;
    # modsecurity.conf should Include the OWASP Core Rule Set (CRS),
    # which covers SQLi, XSS, path traversal, etc.
}
```

WAF policy models:

- Allowlisting: only permit known-good patterns
  - Pro: lower false negatives
  - Con: high maintenance
- Blocklisting: block known-bad patterns
  - Pro: lower false positives
  - Con: misses novel attacks
- Rate limiting: block excessive requests (prevents DDoS, brute force, scraping)
- Geo-blocking: block by country/region (reduces attack surface for unused regions)

Log analysis:

```bash
# Follow UFW block messages (UFW logs through the kernel log, not a service unit)
journalctl -k -f | grep "UFW BLOCK"
# Analyze denied connections: top source IPs (field positions vary, so match the SRC= token)
grep "UFW BLOCK" /var/log/ufw.log | grep -o 'SRC=[0-9.]*' | sort | uniq -c | sort -rn | head -n 20
# Top source IPs attempting SSH ("from <ip>" is stable even when "invalid user" shifts the fields)
grep "Failed password" /var/log/auth.log | grep -oE 'from [0-9.]+' | sort | uniq -c | sort -rn | head -n 10
# Active connections (check for unexpected outbound); ss prints the state as ESTAB
ss -tunap | grep ESTAB
# Listening sockets (netstat is deprecated on modern distros; ss -tlnp is the replacement)
netstat -antp | grep LISTEN
ss -tlnp
```
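As an added example (not part of the AiTechWorlds note), the following Python does in one place what the Fail2Ban jail and the log-analysis pipelines above do separately: it extracts source IPs from constructed sshd and UFW log lines the way the `grep | sort | uniq -c` chains do, then applies a Fail2Ban-style `findtime`/`maxretry` sliding window with the `[DEFAULT]` values from the jail.local (600 s, 5 failures) to decide which sources would be banned. The log lines, the year supplied for the syslog timestamps, and all function names are constructed for the demo; the regexes anchor on the `from <ip>` and `SRC=<ip>` tokens because awk field positions shift between log variants.

```python
# Added example, not from the note: log aggregation plus a Fail2Ban-style ban window.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample logs (syslog format; not captured from a real host).
AUTH_LOG = """\
Mar  3 10:00:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:00:04 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Mar  3 10:00:09 web1 sshd[2212]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar  3 10:00:15 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar  3 10:00:21 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 51008 ssh2
Mar  3 10:05:00 web1 sshd[2220]: Failed password for alice from 192.168.1.25 port 40000 ssh2
Mar  3 10:30:00 web1 sshd[2230]: Failed password for alice from 192.168.1.25 port 40002 ssh2
Mar  3 10:31:00 web1 sshd[2231]: Accepted publickey for alice from 192.168.1.25 port 40004 ssh2
"""

UFW_LOG = """\
Mar  3 10:02:11 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=44000 DPT=3389
Mar  3 10:02:12 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=44001 DPT=445
Mar  3 10:02:13 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=5555 DPT=23
"""

# Group 1: syslog timestamp, group 2: source IP. Matches both the plain and the
# "invalid user" variants of the sshd message.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"
)
UFW_SRC_RE = re.compile(r"\[UFW BLOCK\].*?SRC=(\d+\.\d+\.\d+\.\d+)")


def parse_syslog_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; a constructed year is supplied for the demo."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def top_failed_ssh_sources(log: str, n: int = 10):
    """Equivalent of: grep 'Failed password' | grep -oE 'from [0-9.]+' | sort | uniq -c | sort -rn | head -n N"""
    return Counter(m.group(2) for m in map(FAILED_RE.match, log.splitlines()) if m).most_common(n)


def top_ufw_blocked_sources(log: str, n: int = 20):
    """Equivalent of: grep 'UFW BLOCK' | grep -o 'SRC=...' | sort | uniq -c | sort -rn | head -n N"""
    return Counter(m.group(1) for m in map(UFW_SRC_RE.search, log.splitlines()) if m).most_common(n)


def fail2ban_decisions(log: str, findtime: int = 600, maxretry: int = 5) -> dict:
    """Return {ip: time_of_ban} for sources reaching maxretry failures inside any
    findtime-second window, i.e. the jail.local [DEFAULT] semantics."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_syslog_ts(m.group(1)), m.group(2)
        if ip in banned:
            continue                # already banned; a real jail stops counting here
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("top SSH failures:", top_failed_ssh_sources(AUTH_LOG))
    print("top UFW blocks:  ", top_ufw_blocked_sources(UFW_LOG))
    print("would be banned: ", fail2ban_decisions(AUTH_LOG))
```

With the note's defaults the 198.51.100.7 burst (five failures in twenty seconds) is banned on the fifth attempt, while alice's two typos twenty-five minutes apart never accumulate inside one 600-second window, which is the point of pairing `maxretry` with `findtime` rather than counting failures forever.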